malwarewikiaorg-20200223-history
Clop
'''Clop''' or '''CIop''' is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam and is part of the CryptoMix family. The word clop means bug in Russian. It is aimed at English-speaking users, and its ransom note indicates that the attackers are targeting entire networks rather than individual computers. It has been used as a final payload by an APT group named TA505.

== Payload Transmission ==
Clop is distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and may help to bypass security software detections.

== Infection ==
It first stops numerous Windows services and processes in order to disable antivirus software such as Windows Defender and Malwarebytes, and closes open files so that they are ready for encryption. To disable Windows Defender, it configures various registry values that disable behavior monitoring, real-time protection, sample uploading to Microsoft, Tamper Protection, cloud detections, and antispyware detections.
It sets the following registry values:

 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
 cmd.exe /C reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
 cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

If the user has Tamper Protection enabled, it will just reset Windows Defender.

In addition to Windows Defender, Clop also targets older computers by uninstalling Microsoft Security Essentials. As Clop is run with administrator privileges by the attackers, this command removes the software without a problem:

 cmd.exe /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s

To remove Malwarebytes, it uses the following command:

 C:\Program Files\MalwareBytes\Anti-Ransomware\unins000.exe /verysilent /suppressmsgboxes /norestart

Newer versions of Clop can terminate a total of 663 processes, which include new Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software.
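As an added defender-side example (not part of the wiki page), the following Python detector flags the Defender policy writes and the antivirus uninstall commands listed above when they appear in process-creation command lines. The telemetry records are constructed, and the severity levels and the decision to also report non-Clop writes to Defender keys are assumptions made here, not something the page states.

```python
import re
# Defender policy values Clop writes (from the page). Other values written to a Defender key
# are still reported at lower severity, because legitimate software rarely touches them.
POLICY = r"HKLM\Software\Policies\Microsoft\Windows Defender"
CLOP_TAMPER_VALUES = {
    (POLICY + r"\Real-Time Protection", "DisableBehaviorMonitoring"): "1",
    (POLICY + r"\Real-Time Protection", "DisableOnAccessProtection"): "1",
    (POLICY + r"\Real-Time Protection", "DisableRealtimeMonitoring"): "1",
    (POLICY + r"\Real-Time Protection", "DisableScanOnRealtimeEnable"): "1",
    (POLICY + r"\Spynet", "SubmitSamplesConsent"): "2",
    (POLICY + r"\Spynet", "SpynetReporting"): "0",
    (POLICY + r"\MpEngine", "MpCloudBlockLevel"): "0",
    (POLICY, "DisableAntiSpyware"): "1",
    (r"HKLM\Software\Microsoft\Windows Defender\Features", "TamperProtection"): "0",
}
# Registry paths and value names are case-insensitive, so the lookup table is lower-cased.
_LOOKUP = {(k.lower(), v.lower()): d for (k, v), d in CLOP_TAMPER_VALUES.items()}
# Uninstall commands and the cleanup batch file name from the page, matched as substrings.
REMOVAL_MARKERS = {
    r"microsoft security client\setup.exe": "Microsoft Security Essentials uninstall",
    r"anti-ransomware\unins000.exe": "Malwarebytes Anti-Ransomware uninstall",
    "clearnetworkdns_11-22-33.bat": "Clop cleanup batch file",
}
TOK = r'("[^"]*"|\S+)'  # one command-line token, quoted or bare
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+" + TOK + r"\s+/v\s+" + TOK
                     + r"\s+/t\s+REG_DWORD\s+/d\s+" + TOK, re.IGNORECASE)

def classify(cmdline):
    """Return a list of (severity, description) findings for one process command line."""
    findings = []
    m = REG_ADD.search(cmdline)
    if m:
        key, name, data = (g.strip('"') for g in m.groups())
        if _LOOKUP.get((key.lower(), name.lower())) == data:
            findings.append(("high", f"Clop-style Defender tampering: {name}={data}"))
        elif "windows defender" in key.lower():
            findings.append(("medium", f"Windows Defender registry write: {name}={data}"))
    low = cmdline.lower()
    findings += [("high", desc) for marker, desc in REMOVAL_MARKERS.items() if marker in low]
    return findings

def scan(records):  # records: iterable of (host, command line) pairs
    return [(host, sev, desc) for host, cmd in records for sev, desc in classify(cmd)]

# Constructed sample records in the shape of process-creation telemetry (not real logs).
SAMPLE = [
    ("WS01", r'cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    ("WS02", r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f'),
    ("WS02", r"C:\Program Files\MalwareBytes\Anti-Ransomware\unins000.exe /verysilent /suppressmsgboxes /norestart"),
    ("WS03", r"notepad.exe C:\Users\alice\notes.txt"),
]
```

Feeding real process-creation events (for example Sysmon event 1 or Windows 4688 command lines) into `scan` surfaces the tampering before encryption starts; the medium-severity branch also catches variants that write different data to the same keys.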
Some of the more interesting processes that are terminated include the Android Debug Bridge, Notepad++, Everything, Tomcat, SnagIt, Bash, Visual Studio, Microsoft Office applications, programming languages such as Python and Ruby, the SecureCRT terminal application, the Windows calculator, and even the new Windows 10 Your Phone app:

 ACROBAT.EXE
 ADB.EXE
 CODE.EXE
 CALCULATOR.EXE
 CREATIVE CLOUD.EXE
 ECLIPSE.EXE
 EVERYTHING.EXE
 JENKINS.EXE
 MEMCACHED.EXE
 MICROSOFTEDGE.EXE
 NOTEPAD++.EXE
 POWERPNT.EXE
 PYTHON.EXE
 QEMU-GA.EXE
 RUBY.EXE
 SECURECRT.EXE
 SKYPEAPP.EXE
 SNAGIT32.EXE
 TOMCAT7.EXE
 UEDIT32.EXE
 WINRAR.EXE
 WINWORD.EXE
 YOURPHONE.EXE

It then creates a batch file named clearnetworkdns_11-22-33.bat that is executed soon after the ransomware is launched. This batch file disables Windows's automatic startup repair, removes shadow volume copies, and then resizes them in order to clear orphaned shadow volume copies.

The ransomware then begins to encrypt the victim's files. When encrypting files it appends the .Clop or .CIop extension to the encrypted file's name. It also creates a ransom note named CIopReadMe.txt whose wording indicates that the attackers are targeting an entire network rather than an individual computer. The ransom note says the following:

 ------------------------Your networks has been penetrated---------------------------------------
 All files on each host in the networks have been encrypted with a strong algorithm.
 Backups were either encrypted or deleted or backup disks were formatted.
 Shadow copies also removed, so F-8 or any other methods may damage encrypted data but not recover.
 We exclusively have decryption software for your situation.
 No DECRYPTION software is AVAILABLE in the PUBLIC - DO NOT RENAME OR MOVE the encrypted and readme files.
 DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED
 DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED
 DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED
 ---THIS MAY LEAD TO THE IMPOSSIBILITY OF RECOVERY OF THE CERTAIN FILES---
 ---ALL REPAIR TOOLS ARE USELESS AND CAN DESTROY YOUR FILES IRREVERSIBLY---
 If you want to restore your files write to email.
 ARE AT THE BOTTOM OF THE SHEET and attach 4-6 encrypted files!
 than 7 Mb each, non-archived and your files should not contain valuable information!!!
 [Databases,large excel sheets, backups etc...]!!!
 ***You will receive decrypted samples and our conditions how to get the decoder***
 *^*ATTENTION*^*
 =YOUR WARRANTY - DECRYPTED SAMPLES=
 -=-DO NOT TRY TO DECRYPT YOUR DATA USING THIRD PARTY SOFTWARE-=-
 -=-WE DONT NEED YOUR FILES AND YOUR INFORMATION-=-
 CONTACTS E-MAILS:
 unlock@eqaltech.su
 AND
 unlock@royalmail.su
 OR
 kensgilbomet@protonmail.com
 _-_ATTENTION_-_
 In the letter, type your company name and site!
 ***The final price depends on how fast you write to us***
 ^_*Nothing personal just business^_*
 CLOP^_-
 ----------------------------------------------------------------------------------------------

This ransom note also contains the emails unlock@eqaltech.su, unlock@royalmail.su, and kensgilbomet@protonmail.com that can be used to contact the attackers for payment instructions.

Categories: Ransomware, Win32 ransomware, Microsoft Windows, Win32, Win32 trojan, Trojan